RWGuard: A real-time detection system against cryptographic ransomware

Shagufta Mehnaz, Anand Mudgerikar, Elisa Bertino

Research output: Chapter in Book/Report/Conference proceedingConference contribution

74 Scopus citations


Ransomware has recently (re)emerged as a popular malware that targets a wide range of victims - from individual users to corporate ones for monetary gain. Our key observation on the existing ransomware detection mechanisms is that they fail to provide an early warning in real-time which results in irreversible encryption of a significant number of files while the post-encryption techniques (e.g., key extraction, file restoration) suffer from several limitations. Also, the existing detection mechanisms result in high false positives being unable to determine the original intent of file changes, i.e., they fail to distinguish whether a significant change in a file is due to a ransomware encryption or due to a file operation by the user herself (e.g., benign encryption or compression). To address these challenges, in this paper, we introduce a ransomware detection mechanism, RWGuard, which is able to detect crypto-ransomware in real-time on a user’s machine by (1) deploying decoy techniques, (2) carefully monitoring both the running processes and the file system for malicious activities, and (3) omitting benign file changes from being flagged through the learning of users’ encryption behavior. We evaluate our system against samples from 14 most prevalent ransomware families to date. Our experiments show that RWGuard is effective in real-time detection of ransomware with zero false negative and negligible false positive (~ 0.1%) rates while incurring an overhead of only ~1.9%.

Original languageEnglish (US)
Title of host publicationResearch in Attacks, Intrusions, and Defenses - 21st International Symposium, RAID 2018, Proceedings
EditorsMichael Bailey, Sotiris Ioannidis, Manolis Stamatogiannakis, Thorsten Holz
PublisherSpringer Verlag
Number of pages23
ISBN (Print)9783030004699
StatePublished - 2018
Event21st International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2018 - Heraklion, Greece
Duration: Sep 10 2018Sep 12 2018

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume11050 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349


Other21st International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2018

All Science Journal Classification (ASJC) codes

  • Theoretical Computer Science
  • General Computer Science


Dive into the research topics of 'RWGuard: A real-time detection system against cryptographic ransomware'. Together they form a unique fingerprint.

Cite this